The present invention relates to the field of information security, and more particularly to the field of firewalls and network access control.
People increasingly communicate via networked computing devices to conduct business and exchange personal information. This has the undesirable consequence of exposing computing devices, and the data they store and process, to malicious people. To help reduce this exposure and the associated likelihood and consequences of data compromise, organisations can deploy a computing device known as a network-based firewall in an attempt to control which computing devices are allowed to communicate with which others.
The United States Patent and Trademark Office (USPTO) Class Definition for the firewall subclass provides the following example description of a network-based firewall: “Subject matter including a device installed between internal (private) networks and outside networks (public) and which protects the internal network from network-based attacks that may originate from the outside and to provide a traffic point where security constraints and audits may be affected.”
The following paragraphs detail significant undesirable shortcomings with the current state of this firewall technology.
Undesirably, a network-based firewall located on the boundary between an internal network and an outside network typically has no visibility of, or control over, potentially malicious communication between computing devices located on the same internal network, since such communication never traverses the boundary on which the firewall sits. Therefore, such a firewall is ineffective at protecting computing devices on the internal network from each other.
Undesirably, there is a significant increase in the use of mobile computing devices which are connected directly to an outside network instead of being connected to an organisation's internal network. Therefore, network-based firewalls located on the boundary between an organisation's internal network and an outside network are becoming less relevant.
Undesirably, the set of rules used by a network-based firewall to determine whether communication between computing devices should be allowed is typically based on the Internet Protocol (IP) address, or in some cases the Media Access Control (MAC) address or the name, of the computing devices attempting to communicate. The IP address, MAC address or name associated with a computing device can easily be changed, and a malicious person can therefore adopt the address or name of a device that the rule set permits. Such a network-based firewall is consequently ineffective at reliably identifying which computing devices are actually attempting to communicate.
Undesirably, malicious people have adapted their techniques enabling them to compromise computing devices using ports and protocols typically allowed by a network-based firewall's rule set. Therefore, such a network-based firewall is becoming less relevant.
The long-felt need for alternative network-based protection mechanisms to perform network access control has resulted in existing approaches such as Network Admission Control, Network Access Protection, Intrusion Prevention Systems, domain isolation, host-based firewalls and Virtual LANs (VLANs). These existing approaches focus on complementing network-based firewalls by attempting to address a range of computer security problems that are only somewhat related to the problems identified in the previous paragraphs. Furthermore, existing approaches can introduce additional shortcomings: the cost of purchasing expensive equipment and recruiting highly skilled specialist staff to implement and maintain complex technologies; lock-in to a specific vendor's approach; limitations on which operating systems can run on the communicating computing devices; and a lack of suitability and scalability when applied to networks as large and as distributed as the Internet. There is still a need for alternative network-based protection mechanisms to perform network access control.
Background information unrelated to firewalls but relevant to the present invention is digital certificates and the Online Certificate Status Protocol (OCSP), described in "Understanding PKI: Concepts, Standards, and Deployment Considerations", Second Edition, authored by Carlisle Adams and Steve Lloyd and published by Addison-Wesley in 2002, which is incorporated by reference. Roughly described, a computing device implementing OCSP responder functionality answers OCSP requests from other computing devices implementing OCSP client functionality; each request identifies a digital certificate (by a hash of its issuer's name, a hash of its issuer's public key and the certificate's serial number) and asks whether that certificate has been revoked, and the responder replies with a signed status of good, revoked or unknown. Revocation of a digital certificate by its issuer is infrequent and is typically prompted by the owner of the digital certificate notifying the issuer that the private key corresponding to the certificate has been lost, stolen or otherwise compromised.
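As an added illustration of the OCSP exchange summarised in the paragraph above (this is example code written for this page, not part of the original document or of the referenced book), the following Python builds the unsigned OCSPRequest structure defined in RFC 6960, parses it back, and models the lookup an OCSP responder performs for the issuer it serves. The issuer name, the issuer public-key bytes, the serial numbers and the set of revoked serials are constructed stand-ins; a real responder signs its response, which this example does not model.

```python
"""Minimal RFC 6960 OCSP request builder/parser plus a toy responder lookup.

Uses only the standard library; DER encoding is done by hand so the CertID
structure (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber) is visible.
"""
import hashlib

# DER-encoded OID contents for CertID.hashAlgorithm
OID_SHA1 = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1
HASHES = {OID_SHA1: "sha1", OID_SHA256: "sha256"}


def der_len(n):
    """DER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Non-negative INTEGER in minimal two's complement (leading 0x00 if high bit set)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_cert_id(issuer_name_der, issuer_key_bytes, serial, oid=OID_SHA1):
    """CertID: hashes of the issuer Name DER and of the issuer's subjectPublicKey bits."""
    h = HASHES[oid]
    name_hash = hashlib.new(h, issuer_name_der).digest()
    key_hash = hashlib.new(h, issuer_key_bytes).digest()
    alg = tlv(0x30, tlv(0x06, oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    return tlv(0x30, alg + tlv(0x04, name_hash) + tlv(0x04, key_hash) + der_int(serial))


def build_ocsp_request(cert_ids):
    """OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { reqCert } } }, unsigned, v0."""
    requests = b"".join(tlv(0x30, cid) for cid in cert_ids)
    tbs = tlv(0x30, tlv(0x30, requests))  # version [0] omitted because DEFAULT v0
    return tlv(0x30, tbs)


def parse_tlv(data, pos=0):
    """Decode one TLV at pos; returns (tag, content, position after the element)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, data[start:start + length], start + length


def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out


def parse_ocsp_request(der):
    """Return a list of CertID dicts carried by an OCSPRequest."""
    tag, body, end = parse_tlv(der)
    assert tag == 0x30 and end == len(der), "not a single DER SEQUENCE"
    _, tbs = children(body)[0]
    # Skip optional [0] version / [1] requestorName: requestList is the first plain SEQUENCE.
    request_list = next(b for t, b in children(tbs) if t == 0x30)
    ids = []
    for _, req in children(request_list):
        _, cid = children(req)[0]
        alg, name_hash, key_hash, serial = children(cid)[:4]
        oid = children(alg[1])[0][1]
        ids.append({"hash": HASHES[oid], "issuerNameHash": name_hash[1],
                    "issuerKeyHash": key_hash[1],
                    "serialNumber": int.from_bytes(serial[1], "big")})
    return ids


def responder_status(cert_id, issuer_name_der, issuer_key_bytes, revoked_serials):
    """Toy responder: confirm the CertID names the issuer it serves, then look up the serial."""
    h = cert_id["hash"]
    if (cert_id["issuerNameHash"] != hashlib.new(h, issuer_name_der).digest()
            or cert_id["issuerKeyHash"] != hashlib.new(h, issuer_key_bytes).digest()):
        return "unknown"  # certificate from an issuer this responder does not cover
    return "revoked" if cert_id["serialNumber"] in revoked_serials else "good"


# Constructed sample data (stand-ins, not real certificate material):
# issuer Name = SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String "Example CA" } } }
ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                            + tlv(0x0C, b"Example CA"))))
ISSUER_KEY = bytes(range(1, 66))  # stand-in for the issuer's subjectPublicKey BIT STRING contents
REVOKED = {0x1001}                # stand-in revocation database: serial 0x1001 is revoked

if __name__ == "__main__":
    req = build_ocsp_request([build_cert_id(ISSUER_NAME, ISSUER_KEY, 0x1001),
                              build_cert_id(ISSUER_NAME, ISSUER_KEY, 0x1002, OID_SHA256)])
    for cid in parse_ocsp_request(req):
        print(hex(cid["serialNumber"]), cid["hash"],
              responder_status(cid, ISSUER_NAME, ISSUER_KEY, REVOKED))
```

The responder compares both issuer hashes before consulting its revocation table, which is why a request naming a different issuer yields "unknown" rather than "good": a status of good must never be inferred merely from a serial number being absent from the table of some other issuer.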